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(54) Method and apparatus for implementing hierarchical electronic cash 



(57) A user U generates a signature verification key 
N(j, a signature key SS U and a cipher key K, enciphers 
(X.Ny) by a public key into E|(X t K,Nu) and sends the 
enciphered information to a bank together with user 
information U and the amount of money X. The bank 
registers the information U and E ( in a user data base in 
correspondence with each other, then withdraws the 
amount of money X from a user's bank account and 
sends information (X,E|) to an electronic cash issuer 
together with a bank signature S B (X,E,) for the informa- 
tion. The issuer deciphers the enciphered information E, 
by a secret key to obtain the information (X,N(j), then 
registers the information E| and the key Ny in an inspec- 
tion data base in correspondence with each other, and 
enciphers the signature S t (X,N,j) attached to the key N u 
by the key K into E K (S t ), which is sent to the user via the 
bank. The user deciphers the information E K by the key 
K to obtain the issuer signature S t and sends to a shop, 
as electronic cash C, information containing the key N u 
and the issuer signature S[. The shop verifies the valid- 
ity of the issuer signature and the suer signature and, if 
they are valid, approves payment in an amount y. The 
shop sends data H of communication with the user to 
the issuer for settlement of accounts, and the issuer 
makes a check to see if the key N y in the data H is reg- 
istered in the inspection data base. 
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Description 

BACKGROUND OF THE INVENTION 

The present invention relates to a method and 5 
apparatus for implementing hierarchical electronic cash 
through utilization of a telecommunication system or 
readable /writable storage such as a smart card. 

In recent years there has been popularized an elec- 
tronic funds transfer employing a telecommunication io 
system. In general, a certificate convertible into money, 
such as a draft or check, has a symbolic function of its 
own (which guarantees its possessor to the rights 
stated thereon). When handled in the telecommunica- 
tion system, the certificate is digitized data, which could 15 
easily be copied for repeated arbitrary or unfair conver- 
sion into money. This problem arises as well in the 
implementation of electronic cash such as a prepaid 
card, because it could also be copied for repeated arbi- 
trary or unfair conversion into money or purchase of 20 
merchandise. On the other hand, the credit card is 
essentially free from the danger of such double usage, 
but instead it has a disadvantage that the whole history 
of customer's use of the card becomes known to a credit 
card issuing company (that is, user privacy is not pre- 25 
served). As a solution to these problems, there has 
been proposed a scheme that uses a card having a 
computation facility and devises the exchange of data 
between a card reader and the card for its conversion 
into money to thereby ensure user privacy and detects 30 
its double usage. This is disclosed in, for example, 
Chaum, Fiat and Naor, "Untraceable Electronic Cash," 
Proc. Of CRYPTO *88. 

With the Chaum et al. scheme, however, it is neces- 
sary, for preserving security to some extent (the proba- 35 
bility of success in overspending is 1/2 30 , for instance), 
that three procedures of inquiry, response and verifica- 
tion in the processing of user's payment of electronic 
cash to a shop be repeated by the number of times (30 
times, for example) corresponding to the security 40 
intended to provide-this significantly increases the vol- 
ume of communication required. Another problem is 
indivisibility of electronic cash. 

The principle for divisional use of electronic cash 
proposed so far is based on mathematically ingenious 45 
logic that utilizes a hierarchial structure as disclosed in 
U.S. Patent No. 5,242,162, for instance. However, the 
actual implementation of this conventional scheme 
involves many procedures and large computational 
loads. 50 

The electronic cash implementing system is config- 
ured primarily on the assumption that the same financial 
institution both issues electronic cash and manages 
users' accounts, and consequently, the electronic cash 
issued by the financial institution returns thereto from 55 
the user via shops and banks. Hence, it is impossible to 
keep a watch on the amount of electronic cash issued 
and circulated in financial circles. 



SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to 
provide an electronic cash implementing method which 
ensures user privacy and prevents abuses of electronic 
cash but permits reduction of the amount of communi- 
cation involved in the payment of electronic cash and its 
divisional use and makes it possible to keep under sur- 
veillance the amount of electronic cash issued and cir- 
culated throughout the financial world. 

Another object of the present invention is to provide 
an apparatus for implementing the above-mentioned 
electronic cash scheme. 

According to the present invention, there is pro- 
vided an electronic cash implementing method for an 
electronic cash system composed of an electronic cash 
issuer, a bank which manages a user's account, an 
electronic cash user, and a shop which receives pay- 
ment by electronic cash, the method comprising: 

step (1) wherein the electronic cash issuer opens 
an encipher function E 1 and a signature verification 
function to the public; 

step (2) wherein the user sends to the bank user 
information U and a face value X for requesting the 
bank to withdraw an amount of money X from his 
bank account and issue electronic cash of the face 
value X, while at the same time the user generates 
verification key N y for his signature and a cipher 
key K, then enciphers the signature verification key 
Ny and the cipher key K to generate enciphered 
user information E^X^Ny, and sends it to the 
bank; 

step (3) wherein the bank withdraws the amount of 
money X from the user's bank account, and sends 
information {X,E, (X,K,Nu)} as an electronic cash 
issuance request to the electronic cash issuer, 
while at the same time the bank records in a user 
data base the user name U and the enciphered 
user information E|(X,K t Nu) in correspondence with 
each other; 

step (4) wherein the electronic cash issuer uses a 
decipher function D, to decipher the enciphered 
user information E|(X,K,Nu) to obtain information 
(X.K.Nu), generates information n=g(N u ) contain- 
ing the signature verification key N u , signs the infor- 
mation n and the amount of money X to create an 
issuer signature S,(X,n), then registers the informa- 
tion n and EifX.K.lsy in an inspection data base in 
correspondence with each other, and calculates an 
enciphered issuer signature E K (S,(X,n)) obtained 
by enciphering the issuer signature S,(X,n) by the 
cipher key K, and sends the enciphered issuer sig- 
nature E K (S|(X,n)) to the user; 
step (5) wherein the user deciphers the enciphered 
issuer signature E K (S,(X,n)) by the key K into the 
issuer signature S,(X,n); 

step (6) wherein the user sends, as electronic cash 
C of the face value X, information containing 
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{N,j,X,S,(X,n)} to the shop for the payment thereto 
in an amount y; 

step (7) wherein the shop verifies the validity of the 
electronic cash C and, if valid, receives the pay- 
ment in the amount y; 5 
step (8) wherein the shop sends to the electronic 
cash issuer all communication data H concerning 
the payment by the electronic cash and requests 
the issuer to settle accounts with the shop; and 
step (9) wherein the electronic cash issuer obtains, 10 
with the signature verification key Ny in the commu- 
nication data H, the information n=g(N u ) contain- 
ing the key N U( makes a check to see if the 
information n is already registered in the inspection 
data base, verifies the validity of the electronic cash is 
and, if valid, instructs the bank to transfer the 
amount of payment y to a bank account of the shop. 

The above method may be modified so that the 
electronic cash issuer generates and gives the user sig- 20 
nature verification key N u to the user. 

The user apparatus for the electronic cash imple- 
menting method according to the present invention 
comprises: means for generating a cipher key K; means 
for generating a signature generating key SSy and the 25 
signature verification key N a ; encipher means for enci- 
phering the amount of money X and the keys K and N y 
to obtain the information E|(X,K.Nu); means for sending 
the user information U, the amount of money X and the 
information E|(X,K,Nu) to the bank; decipher means for 30 
deciphering enciphered information received via the 
bank from the electronic cash issuer to obtain the issuer 
signature SjfX.Nu); and signature generating means for 
attaching the user signature to information e received 
from the shop and the amount of payment y to generate 35 
a signature Su(e,y) and for sending the signature 
Su(e,y) to the shop. 

The bank apparatus for the electronic cash imple- 
menting method according to the present invention 
comprises: a user data base for storing the enciphered 40 
information E|(X,K,Nu) and the user information U in 
correspondence with each other; means for sending, to 
the electronic cash issuer, information Sb(X,E|(X,K,Nli)) 
obtained by attaching a bank signature to the informa- 
tion X and E ( , together with information X and Ej 45 
(X.K.Nu); and means for retrieving from the inspection 
data base the user information U corresponding to the 
enciphered user information E[(X,K,Nu) sent from the 
electronic cash issuer. 

The electronic cash issuer apparatus for the elec- so 
tronic cash implementing method according to the 
present invention comprises: decipher means for deci- 
phering the enciphered information E| from the bank to 
obtain the user signature verification key Ny; an inspec- 
tion data base for registering the user signature verifica- 55 
tion key H u and the enciphered information E t in 
correspondence with each other; signing means for 
attaching an issuer signature to information (X.Ny) to 
obtain an issuer signature Sj(X,Nu); means for enci- 



phering and sending the issuer signature S|(X,Nu) to 
the user; means for retrieving the inspection data base 
for the registration of the signature verification key Nu 
contained in the communication data H received from 
the shop; means for updating the total amount of money 
Y paid so far, held in the inspection data base in corre- 
spondence with the signature verification key Ny, with 
the amount of payment y to Y+y; and means which com- 
pares the updated total amount of money Y with the 
face value X of the electronic cash issued and, if X<Y, 
decides that the payment by the user is improper, then 
cancels the corresponding registration in the inspection 
data base and sends the corresponding enciphered 
information E|(X,K,Nu) to the bank. 

The shop apparatus for the electronic cash imple- 
menting method according to the present invention 
comprises: means for verifying the issuer signature S ( in 
the electronic cash C received from the user; means for 
generating and sending the arbitrary information e to 
the user; means for verifying the user signature Su 
received from the user; and means which, if either of the 
signatures is valid, receives payment of the amount y by 
electronic cash and sends the data H of communication 
with the user to the electronic cash issuer. 

According to the present invention, the institution 
for issuing electronic cash (the electronic cash issuer) 
and the financial institution (bank) which manages the 
user's account are hierarchically separated. Through 
utilization of the public key cipher of the issuer in the 
processing for issuing therefrom electronic cash, there 
is no possibility that information peculiar to the user 
becomes known to the bank. 

Further, the electronic cash issuer and the bank 
manage the user information independently of each 
other, and when an abuse of the electronic cash is 
found out, the pieces of information held by them are 
combined to specify the abuser. 

On the other hand, the use of the signature key of 
the user in the processing for his payment permits divi- 
sional use of electronic cash. That is, the user signature 
to the amount of payment could be presented as evi- 
dence of an abuse or overspending if the user pays 
more than a predetermined amount of money. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram schematically illustrating 
an example of the system configuration to which 
the method of the present invention is applied; 
Fig. 2 is a block diagram illustrating a functional 
configuration in the processing for the issuance of 
electronic cash according to the method of the 
present invention; 

Fig. 3 is a block diagram illustrating a functional 
configuration in the processing for the payment by 
electronic cash according to the method of the 
present invention; 

Fig. 4 is a block diagram illustrating a functional 
configuration in the processing for the settlement of 
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electronic cash according to the method of the 
present invention; 

Fig. 5 is a block diagram illustrating an example of 

the functional configuration of the user apparatus 

according to the present invention; 

Fig. 6 is a block diagram illustrating an example of 

the functional configuration of the bank apparatus 

according to the present invention; 

Fig. 7 is a block diagram illustrating an example of 

the functional configuration of the shop apparatus 

according to the present invention; and 

Fig. 8 is a block diagram illustrating an example of 

the functional configuration of the issuer apparatus 

according to the present invention. 

DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 

In Fig. 1 there is schematically shown an example 
of the system configuration to which the method of the 
present invention is applied. In the system there are 
interconnected via communication lines or the like an 
apparatus of an electronic cash issuing institution (here- 
inafter referred to simply as an issuer) 100, an appara- 
tus of an institution which manages user information 
(account information) (hereinafter referred to simply as 
a bank) 200, an apparatus of a person who has elec- 
tronic cash issued (hereinafter referred to simply as a 
user) 300 and an apparatus of an institution which 
receives electronic cash from the user (hereinafter 
referred to simply as a shop) 400. These apparatus may 
also be interconnected via a smart card or the like. 

According to the present invention, when the user 
300 requests the bank 200 to perform a procedure for 
issuing electronic cash of the face value X, the bank 200 
withdraws the amount of money X from the bank 
account of the user 300 and sends to the issuer 100 the 
user's request together with a digital signature of the 
bank 200 indicating that the request is valid. The issuer 
100 verifies the validity of the request for issuance of 
electronic cash and issues electronic cash of the face 
value X to the user 300. 

In this instance, the user 300 generates, as elec- 
tronic cash issuance requesting information, informa- 
tion containing a signature verification key N y that 
would be needed by a shop 400 to verify the user signa- 
ture in the procedure for the user to pay electronic cash 
to the shop 400. If the signature verification key N y is 
contained in an exposed form in the issuance request 
information, the bank 200 can easily find out the verifi- 
cation key N u of the user 300 requesting the issuance of 
electronic cash. Consequently, if the bank 200 con- 
spires with shops, the former can get information on the 
user (user information U) who paid electronic cash to 
the latter, and hence the bank can get to know how 
much the user spent the electronic cash at which shop; 
that is, user privacy cannot be provided. 

To ensure user privacy, in this embodiment the user 
300 enciphers the information containing the signature 



verification key N y by using a public encipher key K of 
the issuer 100 and sends the enciphered information to 
the bank 200 to request it to carry out the procedure for 
the issuance of electronic cash. The bank 200 stores 

5 the enciphered request information E^X.K.Nu) in a data 
base in correspondence with the user name U, while at 
the same time it sends the request information together 
with the bank signature. This embodiment will be 
described below in detail. 

10 While this embodiment will be described on the 
assumption that n=(x,N u ) , it is also possible, in gen- 
eral, to use an arbitrary identity function g to transform 
(x,Nn) to n=g (x,N u ) and use n as a value (information) 
corresponding to (x.Nu). In this embodiment, g is con- 

15 sidered as an identity function and information 
EtfX.K.Nu) may be considered as a combination of 
E,(X,K) and E,(Nu). 

(1) Processing for Issuance of Electronic Cash 

20 

A description will be given first, with reference to 
Fig. 2, of how the user has a bank issue electronic cash. 

Let it be assumed that the issuer 100 and the bank 
200 generate in advance and store public and secret 
25 keys for a public key cryptosystem and a digital signa- 
ture system (see, for example, Bruce Schnier. "Applied 
Cryptography." John Wiley, 1994). The issuer 100 
makes public a public key PE, for public key cryptogra- 
phy and a public key PS t for digital signature verification 
30 use. In the following an encipher function Ep Et using the 
public key PE, of the issuer 1 00 will be described as E f . 
To make the public key PEj public is predicated on the 
fact that the encipher function E ( using it is also made 
public. Similarly, to make public the public key PS ( for 
35 issuer digital signature verification use is predicated on 
the fact that a signature verification function V,=V PSI 
using the public key PS| is also made public. The bank 
200 also makes public the public key PS B for digital sig- 
nature verification use and a signature verification func- 
40 tion V B =V PSB using it. 

Incidentally, the issuer 100 secretly holds in a mem- 
ory 10M a secret key SE| corresponding to a decipher 
function D,=D SEI , and the public key PE, to be used 
with the encipher function E,; that is, the key SE, is held 
in secrecy. Further, the issuer 100 secretly holds in the 
memory 10M using a secret key SS| to be used with a 
signature generating function S ,=S 53, and a public key 
PS| to be used with the signature verification function V, 
for signature verification; that is, the key SS, is held in 
secrecy Likewise, the bank 200 secretly holds in a 
memory 20M a secret key SS B to be used with a signa- 
ture generating function S B =S SSB and the public key 
PS B to be used with the signature verification function 
V B - 

To make a request for the issuance of electronic 
cash of a face value X, the user 300 carries out the fol- 
lowing steps to request the bank 200 to draw out the 
amount of money X from his bank account. 

Step 1: The user 300 generates a signature gener- 



50 



4 



BNSDOCID: <EP 081 0563 A2J_> 



7 



EP 0 810 563 A2 



8 



ating key SSy, a signature generating function Sy and a 
signature verification key Ny in a digital signature key 
generating section 301 . Further, the user 300 generates 
a cipher key K in a cipher key generating section 302 for 
a secret key cryptosystem (see, for example, Bruce 5 
Schnier, "Applied Cryptography," John Wiley, 1994). 
Next, the user 300 uses the opened cipher function E, 
and the encipher key PE| of the issuer 100 to encipher 
information (X.K.Ny) in encipher section 303 into an 
electronic cash issuance request E|(X, K.Ny) and sends w 
it to the bank 200 together with a message requesting it 
to withdraw the amount of X from the bank account of 
the user 300. The cipher key K is one that the issuer 1 00 
uses to encipher a response Sj(X,Ny) to the user 300 
described later on. It is desirable that this message be 75 
authenticated by a digital signature of the user 300, for 
instance. 

Step 2: The bank 200 checks the balance in the 
bank account of the user 300, then subtracts the count 
X from the balance, and records the user name U and 20 
the request E,(X, K,Ny) in a pair in a user data base 
201. The withdrawal request message of the user 300 
may also be recorded. The request message, if signed, 
in particular, will possess the probative value of evi- 
dence. The withdrawal from the user's bank account 25 
may be made anytime after checking the balance. 

Next, the bank 200 calculates its digital signature 
S B =S B (X.E ,(X,K.Ny)) for X and E,(X.K,Ny) in a signa- 
ture generating section 202 and sends the information 
{X t E,(X, K,Nu)S B } to the user 1 00. so 

Step 3: The issuer 100 verifies the validity of the 
signature S B from the bank 200 by the signature verifi- 
cation function V B in a signature verification section 101 
using the signature verification key PS B . If the signature 
S B is valid, then the issuer 100 deciphers the enci- 35 
phered information E|(X,K,Ny) by using the secret key 
SE ( in a decipher section 102 to obtain the information 
X, K and Ny. After this, the issuer 1 00 compares the 
information X sent from the bank 200 and the deci- 
phered information X in a compare section 103 to see if 40 
they are identical. If so, the issuer 100 creates, in a sig- 
nature generating section 104, a signature S ( (X t Nu) for 
the information (X,Ny) containing the signature verifica- 
tion key N y of the user 300. 

Moreover, the issuer 100 registers a triad of infor- 45 
mation Ny, E|(X,K,Ny) and K and information B on the 
bank 200 (its name or identification number) in an 
inspection data base 105 in correspondence with the 
initial value Y=0 of the total amount of money used Y. 

Additionally, the issuer 1 00 enciphers the signature so 
S|(X,Ny) by the encipher key K in an encipher section 
106 to obtain enciphered information E K (S t (X, Ny)), 
which is sent to the band 200. 

Step 4: The bank 200 sends to the user 300 the 
enciphered information E K (S t (X,Nu)) sent from the 55 
issuer 100. 

Step 5: The user 300 deciphers the enciphered 
information E K (S|(X,Nu)) by the key K in a decipher sec- 
tion 304 to obtain the signature S|(X,Ny) of the issuer 



100. 

Then, the user 300 stores in a memory 30M the ini- 
tial value of the balance x of electronic cash set at x=X 
and the information C={x,X,N u ,S,(X,N u )} as elec- 
tronic cash of the face value X, together with the infor- 
mation x, Ny and SSy. In the following description the 
electronic cash C will be called electronic cash issued 
by the issuer 100. 

(2) Payment by Electronic Cash 

Next, a description will be given, with reference to 
Fig. 3, of how the user 300 pays the amount of money y 
(y<x) to the shop 400 by the electronic cash C of the 
face value X and the balance x. 

Step 1 : The user 300 displays on a display section 
30D the balance x read out of the memory 30M and 
makes sure that the balance x is more than the amount 
of money y to be paid, and then sends the electronic 
cash C^x.X.Ny.S^X.Ny)} to the shop 400. 

Step 2: The shop 400 verifies the validity of the sig- 
nature S|(X,Nu) of the electronic cash issuer 100 by the 
public key PS t for verification of the signature of the 
issuer 100 in a signature verification section (of a signa- 
ture verification V t ) 401. If the issuer signature is valid, 
the shop 400 generates inquiry information 
e=f(TIME,W) for verification from information W corre- 
sponding to the shop 400 (such as its identifier IDw or 
signature verification key N w ) by a one-way function 
calculating section 402 using a one-way function f, and 
the shop 400 sends the information TIME, W and e to 
the user 300. 

Step 3: The user 300 verifies the validity of the 
inquiry information e=f(TIME, W) by a one-way function 
calculating section 306 and a compare section 307. If it 
is valid, the user 300 calculates by a signature generat- 
ing section 305 a user s signature Sy(e,y) for the infor- 
mation e sent thereto and the payment y (y<x) by the 
signature generating key SSy and sends the informa- 
tion y and Su(e.y) to the shop 400. 

Step 4: The shop 400 verifies the validity of the user 
signature Su(e,y) by a signature verification section (of 
a signature verification function Vy) 404 using the sig- 
nature verification key Ny received from the user 300 
and verifies y <x by a compare section 403. If either of 
them is valid, the shop 400 approves the payment of the 
amount of money concerned y by electronic cash and 
sends a decision result OK to the user 300, and if at 
least one of them is invalid, the shop 400 sends a deci- 
sion result NG declining the payment by electronic cash. 

The shop 400 may verify the validity of the signa- 
ture S,(X,Ny) of the issuer 100 after sending the infor- 
mation TIME, W and e to the user 300. 

Step 5: When receiving the decision result OK from 
the shop 400, the user 300 updates, by a subtract sec- 
tion 314, the balance x in the memory 30M with x<-x-y. 

(3) Settlement of Accounts 

Turning next to Fig. 4, a method for settlement of 
accounts between the shop 400 and the bank 200 will 
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be described. 

Step 1 : In the first place, the shop 400 sends all 
communication data H={x,X,N u ,S,(X, N,j),TIME, 
W.e,y,S u (e,y)} between it and the user 300 to the 
issuer 100. 

Step 2: The issuer 100 makes a check to see if the 
pair (X.Nu) of the signature verification key of the 
user 300 and the face value X contained in the commu- 
nication data H is registered in the inspection data base 
105. If it is registered, the issuer 100 updates, by an add 
section 107 and a compare section 103, the sum total Y 
of payments recorded corresponding to the information 
(X.Nu) with Y+y->Y and makes a check again to see it 
the updated value Y is smaller than the face value X. 
Further, the issuer 100 records the communication data 
H in a history data base 108. It is preferable that the 
amount of data stored in the history data base 108 be 
reduced by setting a term to the storage of every data 
therein and eliminating therefrom the data when the 
term expires. 

If the information (X.Ny) is already registered in the 
inspection data base 105, the issuer 100 instructs the 
bank 200, which corresponds to the bank information B 
recorded in correspondence with the registered infor- 
mation (X.Ng), to transfer the amount of money y to the 
bank account of the shop 400. In this case, the bank 
with which the shop 400 has its account need not be the 
same as the bank 200 with which the user 300 has its 
account. 

If Y+y=X , the issuer 100 eliminates the information 
(X,N(j) and the corresponding total sum of money used 
Y and bank information B from the inspection data base 
105 because all the electronic cash was spent. 

When the information (X.Ny) is not registered in the 
inspection data base 105, the issuer 100 decides that 
the user 300 overspent, and it performs processing for 
specifying the overspender. If Y+y>X, the issuer 100 
deletes the information (X.Ny) and the corresponding 
total sum of money used Y and bank information B from 
the inspection data base 105. Also in this case, the 
issuer 100 decides that the user 300 overspent, and it 
carries out the overspender specifying processing. 

Step 3: In the overspender specifying processing, 
prior to the elimination of the information (X.Ny) from 
the inspection data base 105, the issuer 100 retrieves 
from the history data base 108 information (all commu- 
nication data H concerning the overspending) that is 
used as evidence of overspending and sends the 
retrieved information to the bank 200 along with the 
information (X.K.Ny) and E|(X,K,N,j) also retrieved from 
the inspection data base 105. The bank 200 verifies the 
validity of the evidence of overspending by a signature 
verification key N u in a signature verification section 
203 and, if it is valid, specifies overspender information 
U by retrieving the user data base 201 by using the 
information E^X.K.Ny) as a key. 

In the above embodiment, when the same user is 
allowed to simultaneously have plural pieces of elec- 
tronic cash of the same face value X, the user needs 



only to create an arbitrary variable, for example, time 
information TM and demand the issuance of electronic 
cash corresponding to information (XXN^TM). Alter- 
natively, if a different verification key N v is generated for 

5 each request for issuance of electronic cash, such vari- 
able as TM may not be used. 

While in the above the user has been described to 
create the signature verification key N u , provision may 
be made to generate it by some other institution , for 
10 example, the issuer 100, so as to lighten the load of 
processing on the user. In such an instance, the user 
300 sends information {U,X.E,(X,K)} to the bank 200, 
and as in the case of receiving the enciphered elec- 
tronic cash issuance request E f (X,K), the bank 200 reg- 

15 isters the information E|(X,K) in the user data base 201 
in correspondence with the user information U, while at 
the same time it signs the information {X,E|(X,K)} in the 
signature generating section 202 to generate the infor- 
mation S B =S B (X,E,(X,K)) , which is sent to the issuer 

20 100 together with the information {X,E, (X,K)}. The 
issuer 100 also verifies the validity of the bank signature 
Sb(X,E,(X,K)) in the signature verification section 101 
and deciphers the information E t (X,K) into (X,K), after 
which the issuer 100 generates the signature verifica- 

25 tion key N y in a broken-lined key generating section 1 07 
and, as in the above, attaches its signature to the infor- 
mation (X.Ny) to create the signed information 
S|(X,Nu). then enciphers it and the key N y to obtain 
Ek(N u .S|(X,N u )), which is sent to the user 300 via the 

30 bank 200. In either case, it is also possible to employ a 
system configuration in which the issuer 100 transforms 
the key Ny by an arbitrary function to obtain information 
n =9(N»j) instead of obtaining the information (X.Nu), 
then attaches its signature to (X,n) to obtain signed 

35 information S ( (X,n), and enciphers it together with the 
key Ny, thereafter sending them to the user 300. In such 
an instance, the issuer 100 registers the information 
E f (X,K, Ny) or E,(X,K) in the inspection data base 105 in 
correspondence with the information n. The user uses 

40 the information {x.X,N,j,S|(X,n)} as the electronic cash 
C. In the settlement of an account for the payment by 
the electronic cash C, the issuer 100 derives the infor- 
mation n=g(N u ) from the signature verification key N v 
in the updated data H received from the shop 400 and 

45 makes a check to see if the informal. , is registered in 
the inspection data base 105. 

According to the above-described electronic cash 
implementing method of the present invention, the 
issuer 100 issues all electronic cash in response to a 

so request of each bank 200, and hence it can always keep 
track of the total amount of electronic cash in circulation. 

Moreover, since what is required of the user 300 for 
the payment to the shop 400 by electronic cash is only 
to make sure that the amount of money to be paid is 

55 smaller than the current balance x. the procedure for the 
divisional use of electronic cash is far simpler than the 
procedure disclosed in the afore-mentioned U.S. Patent 
No. 5,224,162 and the amount of communication there- 
for is also significantly small. 
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Another feature of the present invention resides in 
that the data (X.K.Ny) registered by the issuer 100 in 
the inspection data base 105 is erased when alt the cor- 
responding electronic cash is used up to the face value 
X. Hence, subsequent overspending of the electronic 5 
cash is found out at once since the data (X.K.Ny) of the 
electronic cash sent from the shop 400 to the issuer 100 
for settlement is already erased from the data base 1 05. 

Additionally, what is characteristic of this method is 
that since the data (X,K,Nu) registered in the data base 
105 for inspection is erased at the time when all the 
electronic cash is spent or its overspending is discov- 
ered, the registered data (X.K.Ny) held in the data base 
105 is limited only to those effective at that point in time. 
Accordingly, if the total amount of electronic cash issued 
remains constant to some extent, the amount of regis- 
tered data to be held in the inspection data base 105 
remains substantially unchanged and does not accumu- 
late. In contrast to this, according to the conventional 
electronic cash system, every bank needs to keep lists 
of overspent electronic cash and spent electronic cash 
(that has a possibility for overspending in future) under 
surveillance; hence, the amount of data held under sur- 
veillance accumulates with an increase in the amount of 
electronic cash issued. 

Next a description will be given, with reference to 
Figs. 5 through 8. of the functional configurations of the 
apparatus 300, 200. 400 and 100. The parts corre- 
sponding to those shown in Figs. 2 through 4 are identi- 
fied by the same reference numerals and no description 
will be repeated in connection with them. 

Fig. 5 illustrates the user apparatus 300. The user 
300 can input the amount of money X, the amount of 
payment y and the user identifier U into a control section 
309 through an input section 308 such as a keyboard. 
When the user apparatus 300 is dedicated to the user, 
the user identifier U may also be prestored in the mem- 
ory 30M in the control section 309. The amount of 
money X, the user identifier U and the enciphered elec- 
tronic cash issuance request E|(X, K,Nu) are sent via a 
sending section 310 to the bank 200, whereas the enci- 
phered information E K (S|(X,Ny)) from the issuer 100 via 
the bank 200 is received in a receiving section 31 1 . The 
keys Ny, SSy and K generated in the key generating 
section and the cipher key generating section 302 are 
once written into the memory 30M and held therein. The 
control section 309 reads out the keys N Uf K and SSy 
from the memory 30M as required and uses them to 
operate the encipher section 303, the decipher section 
304 and the signature generating section 305 at 
required points in time. The sending section 310 is also 
placed under the control of the control section 309 and 
the reception by the receiving section 31 1 is reported to 
the control section 309. 

The one-way function calculating section 306 and 
the compare section 307 are also controlled by the con- 
trol section 309 to start their operation. The control sec- 
tion 309 decides whether or not to take further steps for 
the payment of electronic cash according to the result of 



comparison in the compare section 307. The electronic 
cash C={x t X,N U( S ,(X,N u )} , the user signature Sy(e.y) 
and the amount of payment y are sent to the shop 400 
via a sending section 312 under the control of the con- 
trol section 309. The inquiry information e and the sig- 
nals TIME and W from the shop 400 are received in a 
receiving section 313 and separated into individual 
information, and the reception is reported to the control 
section 309. 

Fig. 6 is a block diagram illustrating the bank 200. In 
the memory 20M there are prestored the keys SS B and 
PS| that are used in the signature generating section 
202 and the signature verification section 203. The 
information {U, X,E,(X,K,Nu)} sent from the user 300 is 
received in a receiving section 204 and separated into 
individual information and the reception of the informa- 
tion is reported to a control section 205. The control 
section 205 controls read/write and retrieval of the user 
data base 201 and controls the signature generating 
section 202 and the signature verification section 203 to 
start their operation. Under the control of the control 
section 205 the information SBfX.EifX.K.Ny)), X and 
E|(X,K,Nu) are sent to the issuer 100 via a sending sec- 
tion 206. 

The information from the issuer 100 is received in a 
receiving section 207. and when it is an enciphered sig- 
nature E K (S|(X,Ny)) for the issuance of electronic cash, 
it is send to the user 300 via a sending section 208. The 
reception of information in the receiving section 207 is 
reported to the control section 205 and the transmission 
of information via the sending section 208 is placed 
under the control of the control section 205. When over- 
spender specifying request information containing the 
communication data H is received in the receiving sec- 
tion 207, processing for specifying the overspender is 
carried out under the control of the control section 205, 
and when the overspender is specified, it is reported to 
the outside via an output section 209 to take the neces- 
sary steps. 

Rg. 7 is a block diagram illustrating the shop 400. In 
a memory 40M there is prestored the public key PSj that 
is used in the signature verification section 404 to verify 
the signature of the issuer 100. The information from the 
user 300 is received in a receiving section 405 and sep- 
arated into individual information and the reception of 
the information is reported to a control section 406. The 
control section 406 effects operation start control of the 
signature verification sections 401 and 404, the com- 
pare section 403 and the one-way function calculating 
section 402 in response to the reception of the elec- 
tronic cash C and the reception of the user signature 
Su(e.y)- A clock 407 is provided, from which time infor- 
mation TIME is input into the control section 406. The 
information W dependent on the shop 400 is stored in 
the control section 406. The information e, TIME and W 
are sent to the user 300 via a sending section 408 under 
the control of the control section 406. The results of ver- 
ification in the signature verification sections 401 and 
404 and the result of comparison in the compare sec- 
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tion 403 are input into the control section 406, which, 
based on these inputs, sends the communication data 
H as a request for settlement to the issuer 100 via a 
sending section 409. 

Fig. 8 is a block diagram illustrating the issuer 100. 5 
in the memory 10M there are prestored the keys PE,, 
SE,, PS| and SS t generated in advance. A control sec- 
tion 110 effects operation start control of the signature 
verification section 101, the decipher section 102, the 
compare section 103, the signature generating section 10 
104, the encipher section 106, the add section 107 and 
the compare section 109 and controls write, retrieval 
and read out operations of the inspection data base 1 05 
and the history data base 108. The information 
{X l S B ,E|(X,K,N u )} from the bank 200 is received in a is 
receiving section 111 and separated into individual 
information and the reception of the information is 
reported to control section 110. The control section con- 
trols the respective sections to perform the afore-men- 
tioned processing. The information from the shop 400 is 20 
received in a receiving section 1 12 and separated into 
individual information and the afore-mentioned process- 
ing is conducted under the control of the control section 
110. When the request for settlement is approved as the 
result of the processing, the control section 110 sends 25 
via a sending section 1 1 3 the information y and W to the 
bank with which the shop 400 has its account, request- 
inc it to transfer the amount of money y to the shop's 
account. The enciphered signature E K (S,(X,Nu)) for 
electronic cash and overspender specifying request 30 
information are sent via a sending section 114 to the 
bank 200 under the control os the control section 110. 

Usually, the above-described apparatus 100, 200, 
300 and 400 are each configured so that respective 
operations are mostly processed by one electronic com- 35 
puter, or formed by several DSPs (Digital Signal Proces- 
sors); that is, each apparatus is not formed as one piece 
of hardware. 

EFFECT OF THE INVENTION 40 

As is the case with the Chaum et al. system, the 
present invention ensures user privacy and permits 
detection of overspending of electronic cash. Another 
advantage of the invention resides in that the amount of 45 
communication in the payment processing can be made 
smaller than in the Chaum et al. system. Besides, the 
electronic cash is divisible and the electronic cash 
issuer and the financial institution that manages users' 
accounts can be separated hierarchically. 50 

For example, according to the Chaum et al. 
scheme, when the probability of success in overspend- 
ing in the payment by electronic cash is 1/2 30 , process- 
ing needs to be performed 30 times, so that if the output 
size of the one-way function is assumed to be 128 bits. 55 
an amount of communication of at least 
(3x 1 28x39)= 1 1520 bits is required. 

According to the present invention, the sizes of the 
data y and e and the user signature therefor become the 



amount of communication in the payment processing. 
The total of the sizes of the data y and e (and TIME.W) 
is a maximum of about 200 bits. Assuming that the size 
of the signature is 1024 bits, the total is 1200 bits at the 
maximum. Thus, according to the present invention, the 
amount of communication that is needed for the pay- 
ment processing can be reduced by approximately 1/10 
that in the past. 

Moreover, the electronic cash issued can be 
divided and used repeatedly until the total sum of pay- 
ments reaches the face value. 

Besides, the electronic cash issuer and the finan- 
cial institutions (banks) that manage users' bank 
accounts are separated hierarchically-this enables the 
issuer to keep a watch on the amount of electronic cash 
that is issued by and returned to each bank. Accord- 
ingly, the issuer is capable of preventing the amount of 
electronic cash circulating through every bank from 
exceeding the sum total predetermined by the bank. 

It will be apparent that many modifications and var- 
iations may be effected without departing from the 
scope of the novel concepts of the present invention. 

Claims 

1. An electronic cash implementing method for an 
electronic cash system which is composed of an 
electronic cash issuer, a bank which manages 
account information of a user, a user who uses 
electronic cash for payment, and a shop which 
receives a payment by electronic cash, said method 
comprising: 

step (1) wherein said electronic cash issuer 
opens an encipher function and a signature 
verification function V 1 to the public; 
step (2) wherein said user sends to said bank 
user information U and a face value X for 
requesting said bank to withdraw an amount of 
money X from his bank account and issue elec- 
tronic cash of said face value X, while at the 
same time said user generates verification key 
N u for his signature and a cipher key K, then 
enciphers said signature verification key H u 
and said cipher key K to generate enciphered 
user information E^X.K.Nu), and sends it to 
said bank; 

step (3) wherein said bank withdraws said 
amount of money X from the user's bank 
account, and sends information {X,E, (X.K.Nu)} 
as an electronic cash issuance request to said 
electronic cash issuer, while at the same time 
said bank records in a user data base the user 
name U and said enciphered user information 
E r (X,K,Nu) in correspondence with each other; 
step (4) wherein said electronic cash issuer 
uses a decipher function D, to decipher said 
enciphered user information E,(X f K,Nu) to 
obtain information (X,K,Nu), generates infor- 
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mation n=g(N u ) containing said signature ver- 
ification key N Ut signs said information n and 
said amount of money X to create an issuer 
signature S|(X,n), then registers said informa- 
tion n and EjCX.K.Ny) in an inspection data 5 
base in correspondence with each other, and 
calculates an enciphered issuer signature 
E K (S|(X,n)) obtained by enciphering said issuer 
signature S|(X,n) by said cipher key K, and 
sends said enciphered issuer signature w 
E K (S|(X,n)) to said user; 
step (5) wherein said user deciphers said enci- 
phered issuer signature E K (S ( (X,n)) by said key 
K into said issuer signature S|(X,n); 
step (6) wherein said user sends, as electronic is 
cash C of said face value X, information con- 
taining {N Ut X,S((X,n} to said shop for the pay- 
ment thereto in an amount y; 
step (7) wherein said shop verifies the validity 
of said electronic cash C and, if valid, receives 20 
the payment in said amount y; 
step (8) wherein said shop sends to said elec- 
tronic cash issuer ail communication data H 
concerning the payment by said electronic 
cash and requests said issuer to settle 25 
accounts with said shop; and 
step (9) wherein said electronic cash issuer 
obtains, with said signature verification key N y 
in said communication data H, said information 
n=g(Nu) containing said key N y , makes a 30 
check to see if said information n is already 
registered in said inspection data base, verifies 
the validity of said electronic cash and, if valid, 
instructs said bank to transfer the amount of 
payment y to a bank account of said shop. 35 

2. An electronic cash implementing method for an 
electronic cash system which is composed of an 
electronic cash issuer, a bank which manages 
account information of a user, a user who uses 40 
electronic cash for payment, and a shop which 
receives a payment by electronic cash, said method 
comprising: 

step (1) wherein said electronic cash issuer 45 
opens an encipher function and a signature 
verification function to the public; 
step (2) wherein said user sends ,to said bank 
user information U and a face value X for 
requesting said bank to withdraw an amount of so 
money Xfrom his bank account and issue elec- 
tronic cash of said face value X, while at the 
same time said user generates a cipher key K, 
then enciphers said amount of money X and 
said cipher key K to generate enciphered user 55 
information E|(X,K), and sends it to said bank; 
step (3) wherein said bank withdraws said 
amount of money X from the user's bank 
account, and sends information {X,E| (X,K)} as 



an electronic cash issuance request to said 
electronic cash issuer, while at the same time 
said bank records in a user data base the user 
name U and said enciphered user information 
E|(X,K) in correspondence with each other; 
step (4) wherein said electronic cash issuer 
responds to said electronic cash issuance 
request to generate a signature verification key 
N u for said user and information n=g(N 0 ) con- 
taining said signature verification key Ny, regis- 
ters said information n and E t (X,K) in an 
inspection data base in correspondence with 
each other, deciphers said received informa- 
tion E|(X,K) by a decipher function D ( to obtain 
information (X,K), creates an issuer signature 
S|(X,n), then calculates an enciphered issuer 
signature E^Nu.SifX.n)) obtained by encipher- 
ing said issuer signature S|(X,n) by said cipher 
key K, and sends said enciphered issuer signa- 
ture E^Ny.SiCX.n)) to said user; 
step (5) wherein said user deciphers said enci- 
phered issuer signature EKfNu.SitX.n)) by said 
key K into said issuer signature S|(X,n); 
step (6) wherein said user sends, as electronic 
cash C of said face value X, information con- 
taining {N Ut X,S|(X.n} to said shop for the pay- 
ment thereto in an amount y; 
step (7) wherein said shop verifies the validity 
of said electronic cash C by said signature ver- 
ification key Ny and, if valid, receives the pay- 
ment in said amount y; 

step (8) wherein said shop sends to said elec- 
tronic cash issuer all communication data H 
concerning the payment by said electronic 
cash and requests said issuer to settle 
accounts with said shop; and 
step (9) wherein said electronic cash issuer 
obtains, with said signature verification key Ny 
in said communication data H, said information 
n=g(N y ) , makes a check to see if said infor- 
mation n is already registered in said inspec- 
tion data base, verifies the validity of said 
electronic cash and, if valid, instructs said bank 
to transfer the amount of payment y to a bank 
account of said shop. 

3. The method of claim 1 or 2, wherein said step (3) is 
a step wherein said bank attaches a signature 
S B (X,E t ) to information (X,E,) sent from said user 
and sends it to said issuer together with said infor- 
mation (X,E,), and said step (4) is a step wherein 
said issuer verifies the validity of said signature 
S B (X.E|) and. if valid, deciphers said information by 
said decipher function D|, compares said deci- 
phered amount of money X and the amount of 
money X sent from said bank and, rf they match, 
generates said issuer signature S t . 

4, The method of claim 1 or 2, wherein said step (7) 
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comprises: 

step (7a) wherein said shop receives from said 
user said electronic cash C containing a bal- 
ance x, then generates arbitrary information e 5 
and sends it to said user; 
step (7b) wherein said user calculates a signa- 
ture S u (e,y) of said user for said information e 
sent from said shop and said amount of pay- 
ment y and sends said signature Sufe.y) to 10 
said shop together with said amount of pay- 
ment y; and 

step (7c) wherein said shop verifies the validity 
of said issuer signature S|(X,n) by a public key 
PS| for the verification of said issuer signature is 
and a signature verification function V|, further 
verifies the validity of said user signature 
Su(e>y) by said user signature verification key 
Ny contained in said electronic cash C 
received from said user, while at the same time 20 
said shop verifies if said balance x satisfies a 
condition y<x, and, if the results of all the verifi- 
cations are valid, approves the payment by said 
electronic cash C of said amount y. 

25 

5. The method of claim 4, wherein said step (7) is a 
step: wherein said shop verifies the validity of said 
issuer signature Sj(X.n) contained in said electronic 
cash C by using said public signature verification 
key PS r and, if valid, calculates a one-way function 30 
f(TIME,W) using time information TIME and shop 
information W as variables, then generates said 
information e and sends it to said user together with 
said time information TIME and said shop informa- 
tion W as well; and 35 

wherein said user calculates a one-way 
function e=f (TIME.W) using said time information 
TIME and said shop information W as variables, 
then compares said one-way function e with said 
information e sent from said shop and, if they 40 
match, sends said information {y,Su(e,y)} to said 
shop. 

6. The method of claim 4, wherein said step (9) com- 
prises: 45 

step (9a) wherein said issuer makes a check to 
see if said information n derived from said com- 
munication data received from said shop is 
already registered in said inspection data base; 50 
step (9b) wherein if said information n is regis- 
tered, said issuer updates with a value Y+y the 
total amount of money used Y corresponding to 
said information n, 

step (9c) wherein said issuer makes a check to 55 
see if said value Y+y is smaller than said face 
value X and, if so, instructs said bank to trans- 
fer said amount of money y to a bank account 
of said shop; 



step (9d) wherein if Y+y=X , said issuer erases 
said information n from said inspection data 
base; and 

step (9e) wherein if Y+y>X, said issuer decides 
that said user overspent, and sends said infor- 
mation E| to said bank to specify the mane of 
overspender from information stored in a user 
data base of said bank. 

7. The method of claim 1 or 2, wherein said informa- 
tion n=g(N u ) is n=N u . 

8. The method of claim 1 or 2, wherein said step (7) 
includes a step wherein when said electronic cash 
is verified to be valid by said shop, said user 
updates the balance x of said electronic cash with a 
value x-y. 

9. The method of claim 1 or 2, wherein said step (4) 
includes a step wherein said issuer sends said 
enciphered issuer signature E K to said user via said 
bank. 

10. A user apparatus for an electronic cash system 
which is composed of an electronic cash issuer, a 
bank which manages account information of a user, 
a user who uses electronic cash for payment, and a 
shop which receives a payment by electronic cash, 
said user apparatus comprising: 

input means for inputting an amount of money 
X and an amount of payment y; 
cipher key generating means for generating a 
cipher key K; Key generating means for gener- 
ating a signature generating key SSy and a sig- 
nature verification key Nu; 
encipher means for enciphering said amount of 
money X and said keys K and N u by a public 
cipher function E| of said electronic cash issuer 
to obtain the information EifX.K.Nu); 
means for sending to said bank said enci- 
phered information E|(X,K,Nu), user informa- 
tion U and a message requesting said bank to 
withdraw said amount of money X from a bank 
account of said user; 

decipher means for deciphering enciphered 
issuer signature from said bank by said key K 
to obtain a signature S^X.Ny) of said issuer; 
signature generating means for generating a 
user signature S^e.y) by said user signature 
generating key SS U for information e in infor- 
mation received from said shop and said 
amount of payment y; and 
means for sending said amount of money X, 
said amount of payment y, said signature verifi- 
cation key Ny and said signatures SrfX.Nu) and 
Su(e,y) to said shop. 

11. A bank apparatus for an electronic cash system 
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which is composed of an electronic cash issuer, a 
bank which manages account information of a user, 
a user who uses electronic cash for payment, and a 
shop which receives a payment by electronic cash, 
said user bank comprising: 5 

means for receiving from said user enciphered 
information E|(X,K,Nu), user information U and 
a request for issuance of electronic cash of a 
face value X; 10 
a user data base for storing said enciphered 
information E ( (X ( K,Nu) and said user informa- 
tion U in correspondence with each other; 
means for attaching a bank signature S B to 
said enciphered information E,(X,K,Nu) and 15 
said amount of money X to obtain information 
S B (X,E|(X,K,Nu)) and for sending it to said 
issuer together with said amount of money X 
and said enciphered information E|(X,K,Nu); 
means for sending to said user said enciphered 20 
issuer signature E K received from said issuer; 
and 

means for retrieving from said user data base 
said user information U corresponding to said 
enciphered user information E^X.K.Ny) 25 
received together with a retrieval request from 
said electronic cash issuer. 

12. An electronic cash issuer apparatus for an elec- 
tronic cash system which is composed of an elec- 30 
tronic cash issuer, a bank which manages account 
information of a user, a user who uses electronic 
cash for payment, and a shop which receives a pay- 
ment by electronic cash, said user bank compris- 
ing: 35 

decipher means for deciphering enciphered 
information EifX.K.Ny) from the bank by a 
secret key SE| of a public key cryptosystem to 
obtain an amount of money X, user cipher key 40 
K and a user signature verification key N y ; 
an inspection data base for registering said 
user signature verification key N Ut said enci- 
phered information E ( (X,K,Nu) and the total 
amount of money paid so far Y as a set; 45 
signature generating means for generating an 
issuer signature S|(X,N U ) for said amount of 
money X and said user signature verification 
key Nu; 

encipher means for enciphering said issuer sig- so 
nature S|(X,Nu) by using said user cipher key K 
t as a key therefor; 
means which receives from said shop commu- 
nication information H concerning payment by 
electronic cash, reads out of said inspection 55 
data base said total amount of money used Y 
corresponding to said user signature verifica- 
tion key N U( then adds said total amount of 
money paid so far Y with an amount of payment 



y. and updates said total amount of money Y; 
means which makes a check to see if said 
updated total amount of money Y is smaller 
than said amount of money X, and if so, 
instructs said bank to transfer said amount of 
payment y to a bank account of shop informa- 
tion W contained in said received information 
H; 

a history data base for recording therein said 
received information H; and 
means which, when said updated total amount 
of money Y is equal to or larger than said 
amount of money X, erases from said inspec- 
tion data base the record corresponding to said 
user signature verification key U u and, when 
said updated total amount of money Y is larger 
than said total amount of money Y, reads out of 
said inspection data base said enciphered 
information E|(X,K,Nu) corresponding to said 
verification key N y and sends said read-out 
information E,(X,K,Nu) to said bank so as to 
trace an abuser or overspender. 

13. A^shop apparatus for an electronic cash system 
which is composed of an electronic cash issuer, a 
bank which manages account information of a user, 
a user who uses electronic cash for payment, and a 
shop which receives a payment by electronic cash, 
said user bank comprising: 

means for receiving electronic cash C, the 
amount of payment y and a user signature 
Su(e,y) from said user; 

issuer signature verifying means for verifying 
the validity of an issuer signature S|(X,Nu) in 
said electronic cash C received from the user; 
user signature verifying means for verifying the 
validity of said received user signature by using 
said received user signature verification key 
N u: 

means for making a check to see if said 
received amount of payment y is smaller than 
the amount of money X in said received elec- 
tronic cash C; 

means for generating information e using shop 
information W as a variable and for sending 
said information e to said user; and 
means for sending, to said issuer, communica- 
tion data between said user and said shop con- 
cerning the payment by said electronic cash. 
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